From 3c03fef28f2b2a0f1eb44a800d8374b1ad96145c Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Wed, 4 Sep 2024 16:18:13 +0200
Subject: [PATCH 1/2] safety: clarify reason to ignore CVE

---
 .safety-policy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.safety-policy.yml b/.safety-policy.yml
index cba25ff0..ea44e7e6 100644
--- a/.safety-policy.yml
+++ b/.safety-policy.yml
@@ -39,7 +39,7 @@ report:
 reason: We get these packages from Debian, zipp is not used in production, and its only a DoS.
 expires: '2026-08-31'
 72236:
-reason: setuptools comes from Debian
+reason: setuptools is not used in production to download or install packages, they come from Debian.
 expires: '2026-08-31'
 
 fail-scan-with-exit-code:

From b669ce654d102d94dee6da39ff03582b3503e6c6 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Wed, 4 Sep 2024 16:09:44 +0200
Subject: [PATCH 2/2] gitlab-ci: only trigger safety job if API key is present

---
 .gitlab-ci.yml | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 9f18ce63..39ec8223 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -262,18 +262,21 @@ lint_format_bandit_checks:
 # so important to scan that kind of install in CI.
 # https://docs.safetycli.com/safety-docs/installation/gitlab
 safety:
-only:
-changes:
-- .gitlab-ci.yml
-- .safety-policy.yml
-- pyproject.toml
-- setup.py
 image: debian:bookworm-slim
+rules:
+# once only:/changes: are ported to rules:, this could be removed:
+- if: $CI_PIPELINE_SOURCE == "merge_request_event"
+when: never
+- if: $CI_PIPELINE_SOURCE == "push" && $SAFETY_API_KEY
+changes:
+- .gitlab-ci.yml
+- .safety-policy.yml
+- pyproject.toml
+- setup.py
 <<: *apt-template
 variables:
 LANG: C.UTF-8
 script:
-- test -n "$SAFETY_API_KEY" || exit 0
-- apt-get install fdroidserver python3-biplist
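Review bot: The new `reason:` for 72236 asserts that setuptools is not used in production to download or install packages, but it still does not say which code path the advisory covers or how that claim was checked, so whoever revisits this ignore when it expires cannot tell whether the premise still holds. If the advisory concerns setuptools' download/install code, say so in the same field, e.g. `reason: setuptools comes from Debian and fdroidserver does not call its package download/install code in production, so the vulnerable path is not reachable; re-check when the Debian version changes.` The sentence also joins two independent clauses with a comma; a semicolon or "because" would read cleaner. The `expires: '2026-08-31'` carried over below is two years out, which is a long window for an ignore whose justification depends on how the package happens to be deployed rather than on a fixed version.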